
rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

1 recommendation

rchandra to leibold


Re: [ipv6] IPV6 advantage

One thing to clarify for our readers though, if I understand this correctly...IPSec is mandatory to implement in IPv6, but not mandatory to utilize. All this means is that to be IPv6 compliant, if a connection comes into me requesting IPSec, I must interchange packets using IPSec. When I initiate connections, it's my option whether to employ IPSec for that connection or not.

It's been my experience that the vast majority of IPv6 traffic does NOT have IPSec applied to it.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

You are absolutely correct and I apologize if my comment misled anybody into thinking otherwise.

Just using IPv6 doesn't mean all traffic is encrypted; however, any standards-compliant implementation of IPv6 must support and accept encrypted connections. This does make it easier to establish encrypted connections (vendor and platform independent).
cramer
Premium Member
join:2007-04-10
Raleigh, NC

1 recommendation

cramer to rchandra

I thought they backed off the IPSec integration to make life easier on embedded platforms. (ipsec is not a tiny bit of code)

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

It's problematic anyway. Suppose I generate my own key and run an IKE daemon. How do you know me from the billions of potential other people connected to the Internet? How can you assure yourself that there is no MitM attack going on? It's nigh on impossible.

The FreeSWAN folks attempted to get users to use Opportunistic Encryption as they called it. I think for the MitM/no PKI reasons it was never widely implemented. It was an extremely good (and ambitious) idea but I'm not too sure it had a secure foundation.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf to cramer

It's not that large.

m0n0wall has IPSec and the released version fits into a 16MB CF easily. The next release beta needs more but still fits easily into 32MB.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

leibold to cramer

I had read earlier discussions (pros and cons) for eliminating the mandatory implementation of IPSEC but my impression was that the status quo (IPSEC is mandatory in IPv6) was maintained.

I see now that RFC 6434 obsoletes an earlier IPv6 RFC about IPv6 Node Requirements (RFC 4294) and replaces the original MUST implement IPSEC with SHOULD implement (a weaker statement that allows omitting it).

Thanks for pointing that out.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

cramer to graysonf

Think "1MB flash" embedded devices. And the RAM required to actually run an IPv6 stack. Add those together and you have a long list of things out there that will absolutely never support IPv6. (and, btw, IPv6 ipsec is a lot more complex than a builtin https server.)

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

Tell me about a few 1MB flash devices out there. m0n0wall with IPSec runs comfortably in 128MB of RAM, and if you had to have a 128MB stick of RAM you'd have to look on the surplus market.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

1 recommendation

What part of "embedded devices" did you miss? I'm not talking about your laptop or desktop computers. I'm talking about purpose built, fixed configuration devices. There are thousands of linksys, netgear, dlink, etc. devices that have very little flash and ram -- pretty much everyone has at least one of these in their house... a cable modem, or a dsl modem/router. (only recently made one have or (maybe) will have v6 support.) Not to mention the millions of other various IP connected devices... print servers, tv's, alarm/security systems, power monitors/switches, etc., etc. So many things we completely forget about many of them.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105
ARRIS ONT1000GJ4
EnGenius EAP1250

1 recommendation

Thing is, when users of those devices realize the marginal utility of continuing to operate them, they will get "kicked to the curb"....much like many of the CRT and NTSC televisions are these days. Hardly a trash pickup day goes by on which I'm driving that I don't see at least one CRT-based TV set out for pickup. It's sad to see that kind of electronics waste, but with the ATSC transition, it was nearly inevitable.